1. Chapter 14 Computer Security Threats
Operating Systems: Internals and Design Principles
Chapter 14 Computer Security Threats
“Operating Systems: Internal and Design Principles”, 7/e, by William Stallings, Chapter 14 “Computer Security Threats”.
Seventh Edition By William Stallings

2. Operating Systems: Internals and Design Principles
The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
— THE ART OF WAR,
Sun Tzu
This chapter provides an overview of security threats. We begin with a discussion of what we mean by computer security.
In essence, computer security deals with computer-related assets that are subject to a variety of threats and for which various
measures are taken to protect those assets. The remainder of the chapter looks at the two broad categories of computer and
network security threats: intruders and malicious software.
Cryptographic algorithms, such as encryption and hash functions, play a role
both in computer security threats and computer security techniques. Appendix K
provides an overview of these algorithms.

3. Computer Security
The NIST (National Institute of Standards and Technology) Computer Security Handbook defines computer security as:
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
The NIST Computer Security Handbook [NIST95] defines the term computer
security as follows:
Computer security: The protection afforded to an automated information system
in order to attain the applicable objectives of preserving the integrity, availability,
and confidentiality of information system resources (includes hardware, software,
firmware, information/data, and telecommunications).

4. Key Objectives of Computer Security
Confidentiality
Data confidentiality assures that private or confidential information is not made available or disclosed to unauthorized individuals
Privacy assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed
Integrity
Data integrity assures that information and programs are changed only in a specified and authorized manner
System integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
Availability
assures that systems work promptly and service is not denied to authorized users
This definition introduces three key objectives that are at the heart of computer
security:
• Confidentiality : This term covers two related concepts:
— Data 1 confidentiality: Assures that private or confidential information is
not made available or disclosed to unauthorized individuals
— Privacy : Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to whom
that information may be disclosed
• Integrity : This term covers two related concepts:
— Data integrity : Assures that information and programs are changed only in
a specified and authorized manner
— System integrity : Assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system
• Availability : Assures that systems work promptly and service is not denied to
authorized users

5. CIA Triad Security Objectives: Confidentiality
- a loss of confidentiality is the unauthorized disclosure of information
Integrity
- a loss of integrity is the unauthorized modification or destruction of information
Availability
- a loss of availability is the disruption of access to or use of information or an information system
These three concepts form what is often referred to as the CIA triad ( Figure 14.1 ).
The three concepts embody the fundamental security objectives for both data and
for information and computing services. For example, the NIST standard FIPS 199
( Standards for Security Categorization of Federal Information and Information Systems )
lists confidentiality, integrity, and availability as the three security objectives for information
and for information systems. FIPS PUB 199 provides a useful characterization
of these three objectives in terms of requirements and the definition of a loss of security
in each category:
• Confidentiality: Preserving authorized restrictions on information access
and disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of
information.
• Integrity: Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity. A loss of
integrity is the unauthorized modification or destruction of information.
• Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.

6. Additional Concepts Accountability Authenticity
Two further concepts are often added to the core of computer security:
Accountability
Authenticity
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
We must be able to trace a security breach to a responsible party
Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator
Verifying that users are who they say they are and that each input arriving at the system came from a trusted source
Although the use of the CIA triad to define security objectives is well established,
some in the security field feel that additional concepts are needed to present
a complete picture. Two of the most commonly mentioned are as follows:
• Authenticity : The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message
originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
• Accountability : The security goal that generates the requirement for actions
of an entity to be traced uniquely to that entity. This supports nonrepudiation,
deterrence, fault isolation, intrusion detection and prevention,
and after-action recovery and legal action. Because truly secure systems
aren’t yet an achievable goal, we must be able to trace a security breach to
a responsible party. Systems must keep records of their activities to permit
later forensic analysis to trace security breaches or to aid in transaction
disputes.
Note that FIPS PUB 199 includes authenticity under integrity.

7. Threats & Their Effects
Multiple threatening actions generate four types of consequences:
Unauthorized disclosure
Deception
Disruption
Usurpation

8. Table 14.1 ----- Unauthorized Disclosure
Threat Consequences, and the Types of Threat Actions
That Cause Each Consequence
(Based on RFC 2828)
Table 14.1 , based on RFC 2828, describes four kinds of threat consequences and
lists the kinds of attacks that result in each consequence.
Unauthorized disclosure is a threat to confidentiality. The following types of
attacks can result in this threat consequence:
• Exposure : This can be deliberate, as when an insider intentionally releases sensitive
information, such as credit card numbers, to an outsider. It can also be the
result of a human, hardware, or software error, which results in an entity gaining
unauthorized knowledge of sensitive data. There have been numerous instances
of this, such as universities accidentally posting student confidential information
on the Web.
• Interception : Interception is a common attack in the context of communications.
On a shared local area network (LAN), such as a wireless LAN or a
broadcast Ethernet, any device attached to the LAN can receive a copy of
packets intended for another device. On the Internet, a determined hacker
can gain access to traffic and other data transfers. All of these situations
create the potential for unauthorized access to data.
• Inference: An example of inference is known as traffic analysis, in which an
adversary is able to gain information from observing the pattern of traffic on
a network, such as the amount of traffic between particular pairs of hosts on
the network. Another example is the inference of detailed information from
a database by a user who has only limited access; this is accomplished by
repeated queries whose combined results enable inference.
Intrusion : An example of intrusion is an adversary gaining unauthorized access
to sensitive data by overcoming the system’s access control protections.

9. Table Deception
Threat Consequences, and the Types of Threat Actions
That Cause Each Consequence
(Based on RFC 2828)
Deception is a threat to either system integrity or data integrity. The following
types of attacks can result in this threat consequence:
• Masquerade : One example of masquerade is an attempt by an unauthorized
user to gain access to a system by posing as an authorized user; this
could happen if the unauthorized user has learned another user’s logon ID
and password. Another example is malicious logic, such as a Trojan horse,
that appears to perform a useful or desirable function but actually gains
unauthorized access to system resources or tricks a user into executing other
malicious logic.
• Falsification : This refers to the altering or replacing of valid data or the introduction
of false data into a file or database. For example, a student may alter
his or her grades on a school database.
• Repudiation : In this case, a user either denies sending data or a user denies
receiving or possessing the data.

10. Table 14.1 ----- Disruption
Threat Consequences, and the Types of Threat Actions
That Cause Each Consequence
(Based on RFC 2828)
Disruption is a threat to availability or system integrity. The following types of
attacks can result in this threat consequence:
• Incapacitation: This is an attack on system availability. This could occur as a
result of physical destruction of or damage to system hardware. More typically,
malicious software, such as Trojan horses, viruses, or worms, could operate in
such a way as to disable a system or some of its services.
• Corruption: This is an attack on system integrity. Malicious software in this
context could operate in such a way that system resources or services function
in an unintended manner. Or a user could gain unauthorized access to
a system and modify some of its functions. An example of the latter is a user
placing backdoor logic in the system to provide subsequent access to a system
and its resources by other than the usual procedure.
• Obstruction: One way to obstruct system operation is to interfere with communications
by disabling communication links or altering communication
control information. Another way is to overload the system by placing excess
burden on communication traffic or processing resources.

11. Table 14.1 ----- Usurpation
Threat Consequences, and the Types of Threat Actions
That Cause Each Consequence
(Based on RFC 2828)
Usurpation is a threat to system integrity. The following types of attacks can
result in this threat consequence:
• Misappropriation: This can include theft of service. An example is a distributed
denial of service attack, when malicious software is installed on a number
of hosts to be used as platforms to launch traffic at a target host. In this case,
the malicious software makes unauthorized use of processor and operating
system resources.
• Misuse: Misuse can occur either by means of malicious logic or a hacker that
has gained unauthorized access to a system. In either case, security functions
can be disabled or thwarted.

12. Scope of System Security
The assets of a computer system can be categorized as hardware, software, data,
and communication lines and networks. In this subsection, we briefly describe these
four categories and relate these to the concepts of integrity, confidentiality, and
availability introduced in Section 14.1 (see Figure 14.2 and Table 14.2 ).

13. Examples of Threats to System Assets
HARDWARE
A major threat to computer system hardware is the threat to
availability. Hardware is the most vulnerable to attack and the least susceptible to
automated controls. Threats include accidental and deliberate damage to equipment
as well as theft. The proliferation of personal computers and workstations and the
widespread use of LANs increase the potential for losses in this area. Theft of
CD-ROMs and DVDs can lead to loss of confidentiality. Physical and administrative
security measures are needed to deal with these threats.
SOFTWARE
Software includes the operating system, utilities, and application
programs. A key threat to software is an attack on availability. Software, especially
application software, is often easy to delete. Software can also be altered or
damaged to render it useless. Careful software configuration management, which
includes making backups of the most recent version of software, can maintain high
availability. A more difficult problem to deal with is software modification that
results in a program that still functions but that behaves differently than before,
which is a threat to integrity/authenticity. Computer viruses and related attacks fall
into this category. A final problem is protection against software piracy. Although
certain countermeasures are available, by and large the problem of unauthorized
copying of software has not been solved.
DATA
Hardware and software security are typically concerns of computing center
professionals or individual concerns of personal computer users. A much more
widespread problem is data security, which involves files and other forms of data
controlled by individuals, groups, and business organizations.
Security concerns with respect to data are broad, encompassing availability,
secrecy, and integrity. In the case of availability, the concern is with the destruction
of data files, which can occur either accidentally or maliciously.
The obvious concern with secrecy is the unauthorized reading of data files or
databases, and this area has been the subject of perhaps more research and effort
than any other area of computer security. A less obvious threat to secrecy involves
the analysis of data and manifests itself in the use of so-called statistical databases,
which provide summary or aggregate information. Presumably, the existence of
aggregate information does not threaten the privacy of the individuals involved.
However, as the use of statistical databases grows, there is an increasing potential
for disclosure of personal information. In essence, characteristics of constituent
individuals may be identified through careful analysis. For example, if one table
records the aggregate of the incomes of respondents A, B, C, and D and another
records the aggregate of the incomes of A, B, C, D, and E, the difference between
the two aggregates would be the income of E. This problem is exacerbated by the
increasing desire to combine data sets. In many cases, matching several sets of data
for consistency at different levels of aggregation requires access to individual units.
Thus, the individual units, which are the subject of privacy concerns, are available at
various stages in the processing of data sets.
Finally, data integrity is a major concern in most installations. Modifications
to data files can have consequences ranging from minor to disastrous.

14. Passive Attacks
Attempts to learn or make use of information from the system but does not affect system resources
Are in the nature of eavesdropping on, or monitoring of, transmissions
Goal of the attacker is to obtain information that is being transmitted
Difficult to detect because they do not involve any alteration of the data
is feasible to prevent the success of these attacks by means of encryption
Emphasis in dealing with passive attacks is on prevention rather than detection
Network security attacks can be classified
as passive attacks and active attacks . A passive attack attempts to learn or make
use of information from the system but does not affect system resources. An active
attack attempts to alter system resources or affect their operation.
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the attacker is to obtain information that is being transmitted.
Two types of passive attacks are release of message contents and traffic analysis.
The concept of release of message contents , is easily understood. A telephone
conversation, an electronic mail message, and a transferred file may contain sensitive
or confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.
Traffic analysis is a more subtle form of passive attack. Suppose that we had a
way of masking the contents of messages or other information traffic so that opponents,
even if they captured the message, could not extract the information from
the message. The common technique for masking contents is encryption. If we had
encryption protection in place, an opponent might still be able to observe the pattern
of these messages. The opponent could determine the location and identity of
communicating hosts and could observe the frequency and length of messages being
exchanged. This information might be useful in guessing the nature of the communication
that was taking place.
Passive attacks are very difficult to detect because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in an apparently
normal fashion, and neither the sender nor the receiver is aware that a third
party has read the messages or observed the traffic pattern. However, it is feasible
to prevent the success of these attacks, usually by means of encryption. Thus, the
emphasis in dealing with passive attacks is on prevention rather than detection.
Types:
release of message contents
traffic analysis

15. Active Attacks
Involve some modification of the data stream or the creation of a false stream
Four categories:
Replay
involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
Masquerade
takes place when one entity pretends to be a different entity
Modification of messages
some portion of a legitimate message is altered, or messages are delayed or reordered, to produce an unauthorized effect
Denial of service
prevents or inhibits the normal use or management of communications facilities
disruption of an entire network either by disabling the network or by overloading it with messages so as to degrade performance
Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories: replay, masquerade,
modification of messages, and denial of service.
Replay involves the passive capture of a data unit and its subsequent retransmission
to produce an unauthorized effect.
A masquerade takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack. For example,
authentication sequences can be captured and replayed after a valid authentication
sequence has taken place, thus enabling an authorized entity with few privileges
to obtain extra privileges by impersonating an entity that has those privileges.
Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an
unauthorized effect. For example, a message stating, “Allow John Smith to read confidential
file accounts ” is modified to say, “Allow Fred Brown to read confidential
file accounts .”
The denial of service prevents or inhibits the normal use or management of
communications facilities. This attack may have a specific target; for example, an
entity may suppress all messages directed to a particular destination (e.g., the security
audit service). Another form of service denial is the disruption of an entire network,
either by disabling the network or by overloading it with messages so as to degrade
performance.
Active attacks present the opposite characteristics of passive attacks. Whereas
passive attacks are difficult to detect, measures are available to prevent their success.
On the other hand, it is quite difficult to prevent active attacks absolutely,
because to do so would require physical protection of all communications facilities
and paths at all times. Instead, the goal is to detect them and to recover from any
disruption or delays caused by them. Because the detection has a deterrent effect, it
may also contribute to prevention.

16. Intruder Behavior Patterns
Hackers: usually in it for fun and status, not necessarily looking for financial gain
Criminals: organized, efficient, may have a social or financial objective
Internal threats: Employees, usually – may have a grudge against the company.
See page 617 for more details

17. Malware General term for any malicious software
Software designed to cause damage to or use up the resources of a target computer
Frequently concealed within or masquerades as legitimate software
In some cases it spreads itself to other computers via or infected discs
The concept of malicious software, or malware, was introduced in Section Malware
is software designed to cause damage to or use up the resources of a target computer.
It is frequently concealed within or masquerades as legitimate software. In some cases,
it spreads itself to other computers via or infected discs. The terminology in this
area presents problems because of a lack of universal agreement on all of the terms
and because some of the categories overlap. Table 14.4 is a useful guide.
In this section, we briefly survey some of the key categories of malicious software,
deferring discussion on the key topics of viruses, worms, bots, and rootkits
until the following sections.

18. Table 14.4 Terminology of Malicious Programs
Table 14.4 is a useful guide of Malicious Programs.

19. Backdoor Also known as a trapdoor
A secret entry point into a program that allows someone to gain access without going through the usual security access procedures
A maintenance hook is a backdoor that programmers use to debug and test programs
Become threats when unscrupulous programmers use them to gain unauthorized access
It is difficult to implement operating system controls for backdoors
A backdoor , also known as a trapdoor , is a secret entry point into a program
that allows someone who is aware of the backdoor to gain access without going
through the usual security access procedures. Programmers have used backdoors
legitimately for many years to debug and test programs; such a backdoor is called
a maintenance hook . This usually is done when the programmer is developing an
application that has an authentication procedure, or a long setup, requiring the user
to enter many different values to run the application. To debug the program, the
developer may wish to gain special privileges or to avoid all the necessary setup and
authentication. The programmer may also want to ensure that there is a method of
activating the program should something be wrong with the authentication procedure
that is being built into the application. The backdoor is code that recognizes
some special sequence of input or is triggered by being run from a certain user ID or
by an unlikely sequence of events.
Backdoors become threats when unscrupulous programmers use them to
gain unauthorized access. The backdoor was the basic idea for the vulnerability
portrayed in the movie War Games . Another example is that during the development
of Multics, penetration tests were conducted by an Air Force “tiger team”
(simulating adversaries). One tactic employed was to send a bogus operating system
update to a site running Multics. The update contained a Trojan horse (described
later) that could be activated by a backdoor and that allowed the tiger team to gain
access. The threat was so well implemented that the Multics developers could not
find it, even after they were informed of its presence [ENGE80].
It is difficult to implement operating system controls for backdoors. Security
measures must focus on the program development and software update activities.

20. Logic Bomb One of the oldest types of program threat
Code embedded in some legitimate program that is set to “explode” when certain conditions are met
Once triggered a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage
One of the oldest types of program threat, predating viruses and worms, is the logic
bomb. The logic bomb is code embedded in some legitimate program that is set to
“explode” when certain conditions are met. Examples of conditions that can be used
as triggers for a logic bomb are the presence or absence of certain files, a particular
day of the week or date, or a particular user running the application. Once triggered,
a bomb may alter or delete data or entire files, cause a machine halt, or do some
other damage. A striking example of how logic bombs can be employed was the
case of Tim Lloyd, who was convicted of setting a logic bomb that cost his employer,
Omega Engineering, more than $10 million, derailed its corporate growth strategy,
and eventually led to the layoff of 80 workers [GAUD00]. Ultimately, Lloyd was
sentenced to 41 months in prison and ordered to pay $2 million in restitution.

21. Trojan Horse
Useful, or apparently useful, program or command procedure that contains hidden code that, when invoked, performs some unwanted or harmful function
Trojan horses fit into one of three models:
continuing to perform the function of the original program and additionally performing a separate malicious activity
continuing to perform the function of the original program but modifying the function to perform malicious activity or to disguise other malicious activity
performing a malicious function that completely replaces the function of the original program
A Trojan horse is a useful, or apparently useful, program or command procedure
containing hidden code that, when invoked, performs some unwanted or harmful
function.
Trojan horse programs can be used to accomplish functions indirectly that an
unauthorized user could not accomplish directly. For example, to gain access to the
files of another user on a shared system, a user could create a Trojan horse program
that, when executed, changes the invoking user’s file permissions so that the files
are readable by any user. The author could then induce users to run the program by
placing it in a common directory and naming it such that it appears to be a useful
utility program or application. An example is a program that ostensibly produces
a listing of the user’s files in a desirable format. After another user has run the
program, the author of the program can then access the information in the user’s
files. An example of a Trojan horse program that would be difficult to detect is a
compiler that has been modified to insert additional code into certain programs as
they are compiled, such as a system login program [THOM84]. The code creates a
backdoor in the login program that permits the author to log on to the system using
a special password. This Trojan horse can never be discovered by reading the source
code of the login program.
Another common motivation for the Trojan horse is data destruction. The
program appears to be performing a useful function (e.g., a calculator program),
but it may also be quietly deleting the user’s files. For example, a CBS executive
was victimized by a Trojan horse that destroyed all information contained in his
computer’s memory [TIME90]. The Trojan horse was implanted in a graphics routine
offered on an electronic bulletin board system.
Trojan horses fit into one of three models:
• Continuing to perform the function of the original program and additionally
performing a separate malicious activity
• Continuing to perform the function of the original program but modifying the
function to perform malicious activity (e.g., a Trojan horse version of a login
program that collects passwords) or to disguise other malicious activity (e.g., a
Trojan horse version of a process listing program that does not display certain
processes that are malicious)
• Performing a malicious function that completely replaces the function of the
original program

22. Mobile Code
Programs that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics
Transmitted from a remote system to a local system and then executed on the local system without the user’s explicit instruction
Often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted to the user’s workstation
Takes advantages of vulnerabilities
Popular vehicles for mobile code include Java applets, ActiveX, JavaScript, and VBScript
Mobile code refers to programs (e.g., script, macro, or other portable instruction)
that can be shipped unchanged to a heterogeneous collection of platforms and execute
with identical semantics [JANS01]. The term also applies to situations involving
a large homogeneous collection of platforms (e.g., Microsoft Windows).
Mobile code is transmitted from a remote system to a local system and then
executed on the local system without the user’s explicit instruction. Mobile code
often acts as a mechanism for a virus, worm, or Trojan horse to be transmitted
to the user’s workstation. In other cases, mobile code takes advantage of vulnerabilities
to perform its own exploits, such as unauthorized data access or root
compromise. Popular vehicles for mobile code include Java applets, ActiveX,
JavaScript, and VBScript. The most common ways of using mobile code for
malicious operations on local system are cross-site scripting, interactive and
dynamic Web sites, attachments, and downloads from untrusted sites or
of untrusted software.

23. Multiple-Threat Malware
Infects in multiple ways
Typically the multipartite virus is capable of infecting multiple types of files
A blended attack uses multiple methods of infection or transmission to maximize the speed of contagion and the severity of the attack
An example of a blended attack is the Nimda attack
Viruses and other malware may operate in multiple ways. The terminology is far
from uniform; this subsection gives a brief introduction to several related concepts
that could be considered multiple-threat malware.
A multipartite virus infects in multiple ways. Typically, the multipartite virus
is capable of infecting multiple types of files, so that virus eradication must deal with
all of the possible sites of infection.
A blended attack uses multiple methods of infection or transmission, to maximize
the speed of contagion and the severity of the attack. Some writers characterize
a blended attack as a package that includes multiple types of malware. An example
of a blended attack is the Nimda attack, erroneously referred to as simply a worm.
Nimda uses four distribution methods:
• A user on a vulnerable host opens an infected attachment;
Nimda looks for addresses on the host and then sends copies of itself to
those addresses.
Windows shares: Nimda scans hosts for unsecured Windows file shares; it can
then use NetBIOS86 as a transport mechanism to infect files on that host in
the hopes that a user will run an infected file, which will activate Nimda on
that host.
• Web servers: Nimda scans Web servers, looking for known vulnerabilities in
Microsoft IIS. If it finds a vulnerable server, it attempts to transfer a copy of
itself to the server and infect it and its files.
• Web clients: If a vulnerable Web client visits a Web server that has been
infected by Nimda, the client’s workstation will become infected.
Thus, Nimda has worm, virus, and mobile code characteristics. Blended attacks
may also spread through other services, such as instant messaging and peer-to-peer
file sharing.
Windows shares
Web servers
Web clients
Nimda uses four distribution methods:

24. Viruses Software that “infects” other programs by modifying them
carries instructional code to self duplicate
becomes embedded in a program on a computer
when the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program
infection can be spread by swapping disks from computer to computer or through a network
A computer virus has three parts:
an infection mechanism
trigger
payload
A computer virus is a piece of software that can “infect” other programs by modifying
them; the modification includes injecting the original program with a routine to
make copies of the virus program, which can then go on to infect other programs.
Biological viruses are tiny scraps of genetic code—DNA or RNA—that can
take over the machinery of a living cell and trick it into making thousands of flawless
replicas of the original virus. Like its biological counterpart, a computer virus
carries in its instructional code the recipe for making perfect copies of itself. The
typical virus becomes embedded in a program on a computer. Then, whenever the
infected computer comes into contact with an uninfected piece of software, a fresh
copy of the virus passes into the new program. Thus, the infection can be spread
from computer to computer by unsuspecting users who either swap disks or send
programs to one another over a network. In a network environment, the ability
to access applications and system services on other computers provides a perfect
culture for the spread of a virus.
A virus can do anything that other programs do. The
only difference is that it attaches itself to another program and executes secretly
when the host program is run. Once a virus is executing, it can perform any function
that is allowed by the privileges of the current user, such as erasing files and
programs.
A computer virus has three parts [AYCO06]:
• Infection mechanism : The means by which a virus spreads, enabling it to replicate.
The mechanism is also referred to as the infection vector .
• Trigger: The event or condition that determines when the payload is activated
or delivered.
• Payload: What the virus does, besides spreading. The payload may involve
damage or may involve benign but noticeable activity.

25. Virus Phases Execution Phase the function is performed
Dormant Phase
the virus is idle
will eventually be activated by some event
not all viruses have this stage
Propagation Phase
the virus places an identical copy of itself into other programs or into certain system areas on the disk
Triggering Phase
the virus is activated to perform the function for which it was intended
triggering phase can be caused by a variety of system events
Execution Phase
the function is performed
the function may be harmless (message on screen) or damaging (destruction of programs and data files)
During its lifetime, a typical virus goes through the following four phases:
• Dormant phase: The virus is idle. The virus will eventually be activated by
some event, such as a date, the presence of another program or file, or the
capacity of the disk exceeding some limit. Not all viruses have this stage.
• Propagation phase: The virus places an identical copy of itself into other programs
or into certain system areas on the disk. Each infected program will
now contain a clone of the virus, which will itself enter a propagation phase.
• Triggering phase: The virus is activated to perform the function for which it
was intended. As with the dormant phase, the triggering phase can be caused
by a variety of system events, including a count of the number of times that
this copy of the virus has made copies of itself.
• Execution phase: The function is performed. The function may be harmless,
such as a message on the screen, or damaging, such as the destruction of
programs and data files.
Most viruses carry out their work in a manner that is specific to a particular
operating system and, in some cases, specific to a particular hardware platform. Thus,
they are designed to take advantage of the details and weaknesses of particular
systems.

26. Virus Classification Boot sector infector File infector Macro virus
There is no universally agreed upon classification scheme for viruses
Classification by target includes the following categories:
Boot sector infector
infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
File infector
infects files that the operating system or shell consider to be executable
Macro virus
infects files with macro code that is interpreted by an application
There has been a continuous arms race between virus
writers and writers of antivirus software since viruses first appeared. As effective
countermeasures are developed for existing types of viruses, newer types are
developed. There is no simple or universally agreed upon classification scheme
for viruses. In this section, we follow [AYCO06] and classify viruses along two
orthogonal axes: the type of target the virus tries to infect, and the method the
virus uses to conceal itself from detection by users and antivirus software.
A virus classification by target includes the following categories:
• Boot sector infector: Infects a master boot record or boot record and spreads
when a system is booted from the disk containing the virus
• File infector: Infects files that the operating system or shell consider to be
executable
• Macro virus : Infects files with macro code that is interpreted by an application

27. Concealment Strategy
A virus classification by concealment strategy includes:
Encrypted virus
random encryption key encrypts remainder of virus
Stealth virus
hides itself from detection of antivirus software
Polymorphic virus
mutates with every infection
mutation engine is the portion of the virus that is responsible for generating keys and performing encryption/decryption
Metamorphic virus
rewrites itself completely after every iteration
A virus classification by concealment strategy includes the following categories:
• Encrypted virus: A typical approach is as follows. A portion of the virus
creates a random encryption key and encrypts the remainder of the virus.
The key is stored with the virus. When an infected program is invoked, the
virus uses the stored random key to decrypt the virus. When the virus replicates,
a different random key is selected. Because the bulk of the virus is
encrypted with a different key for each instance, there is no constant bit
pattern to observe.
Stealth virus: A form of virus explicitly designed to hide itself from detection
by antivirus software. Thus, the entire virus, not just a payload is hidden.
• Polymorphic virus: A virus that mutates with every infection, making detection
by the “signature” of the virus impossible.
• Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates
with every infection. The difference is that a metamorphic virus rewrites itself
completely at each iteration, increasing the difficulty of detection. Metamorphic
viruses may change their behavior as well as their appearance.
One example of a stealth virus was discussed earlier: A virus that uses compression
so that the infected program is exactly the same length as an uninfected
version. Far more sophisticated techniques are possible. For example, a virus can
place intercept logic in disk I/O routines, so that when there is an attempt to read
suspected portions of the disk using these routines, the virus will present back the
original, uninfected program. Thus, stealth is not a term that applies to a virus as
such but, rather, refers to a technique used by a virus to evade detection.
A polymorphic virus creates copies during replication that are functionally
equivalent but have distinctly different bit patterns. As with a stealth virus, the
purpose is to defeat programs that scan for viruses. In this case, the “signature” of
the virus will vary with each copy. To achieve this variation, the virus may randomly
insert superfluous instructions or interchange the order of independent instructions.
A more effective approach is to use encryption. The strategy of the encryption
virus is followed. The portion of the virus that is responsible for generating keys and
performing encryption/decryption is referred to as the mutation engine . The mutation
engine itself is altered with each use.

28. Viruses
The first rapidly spreading viruses made use of a Microsoft Word macro embedded in an attachment
In 1999 a newer, more powerful version of the virus appeared
can be activated merely by opening an that contains the virus rather than opening an attachment
the virus uses the Visual Basic scripting language supported by the package
If the recipient opens the attachment the Word macro is activated
the virus sends itself to everyone on the mailing list in the user’s package
the virus does local damage on the user’s system
A more recent development in malicious software is the
virus. The first rapidly spreading viruses, such as Melissa, made use of
a Microsoft Word macro embedded in an attachment. If the recipient opens the
attachment, the Word macro is activated. Then
1. The virus sends itself to everyone on the mailing list in the user’s
package.
2. The virus does local damage on the user’s system.
In 1999, a more powerful version of the virus appeared. This newer
version can be activated merely by opening an that contains the virus rather
than opening an attachment. The virus uses the Visual Basic scripting language
supported by the package.
Thus we see a new generation of malware that arrives via and uses
software features to replicate itself across the Internet. The virus propagates
itself as soon as it is activated (either by opening an attachment or by
opening the ) to all of the addresses known to the infected host. As a
result, whereas viruses used to take months or years to propagate, they now do so
in hours. This makes it very difficult for antivirus software to respond before much
damage is done. Ultimately, a greater degree of security must be built into Internet
utility and application software on PCs to counter the growing threat.

29. Worms
A program that can replicate itself and send copies from computer to computer across network connections
Upon arrival the worm may be activated to replicate and propagate again
In addition to propagation the worm usually performs some unwanted function
Actively seeks out more machines to infect and each machine that is infected serves as an automate launching pad for attacks on other machines
A worm is a program that can replicate itself and send copies from computer to
computer across network connections. Upon arrival, the worm may be activated to
replicate and propagate again. In addition to propagation, the worm usually performs
some unwanted function. An virus has some of the characteristics of a worm
because it propagates itself from system to system. However, we can still classify it as a
virus because it uses a document modified to contain viral macro content and requires
human action. A worm actively seeks out more machines to infect and each machine
that is infected serves as an automated launching pad for attacks on other machines.
Network worm programs use network connections to spread from system to
system. Once active within a system, a network worm can behave as a computer
virus or bacteria, or it could implant Trojan horse programs or perform any number
of disruptive or destructive actions.

30. Worm Propagation Electronic mail facility Remote execution capability
To replicate itself a network worm uses some sort of network vehicle
a worm mails a copy of itself to other systems so that its code is run when the or an attachment is received or viewed
Electronic mail facility
a worm executes a copy of itself on another system either using an explicit remote execution facility or by exploiting a program flaw in a network service to subvert its operations
Remote execution capability
a worm logs on to a remote system as a user and then uses commands to copy itself from one system to the other
Remote log-in capability
To replicate itself, a network worm uses some sort of network vehicle.
Examples include the following:
• Electronic mail facility: A worm mails a copy of itself to other systems, so that
its code is run when the or an attachment is received or viewed.
• Remote execution capability: A worm executes a copy of itself on another
system, either using an explicit remote execution facility or by exploiting a
program flaw in a network service to subvert its operations (such as buffer
overflow, described in Chapter 7 ).
• Remote login capability: A worm logs on to a remote system as a user and
then uses commands to copy itself from one system to the other, where it then
executes.
The new copy of the worm program is then run on the remote system where, in
addition to any functions that it performs at that system, it continues to spread in
the same fashion.
A network worm exhibits the same characteristics as a computer virus: a
dormant phase, a propagation phase, a triggering phase, and an execution phase.
The propagation phase generally performs the following functions:
1. Search for other systems to infect by examining host tables or similar repositories
of remote system addresses.
2. Establish a connection with a remote system.
3. Copy itself to the remote system and cause the copy to be run.
The network worm may also attempt to determine whether a system has previously
been infected before copying itself to the system. In a multiprogramming
system, it may also disguise its presence by naming itself as a system process or using
some other name that may not be noticed by a system operator.
As with viruses, network worms are difficult to counter.

31. Bots
A program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot’s creator
also known as a Zombie or drone
Typically planted on hundreds or thousands of computers belonging to unsuspecting third parties
Collection of bots acting in a coordinated manner is a botnet
A botnet exhibits three characteristics:
the bot functionality
a remote control facility
a spreading mechanism to propagate the bots and construct the botnet
A bot (robot), also known as a zombie or drone, is a program that secretly takes
over another Internet-attached computer and then uses that computer to launch
attacks that are difficult to trace to the bot’s creator. The bot is typically planted on
hundreds or thousands of computers belonging to unsuspecting third parties. The
collection of bots often is capable of acting in a coordinated manner; such a collection
is referred to as a botnet .
A botnet exhibits three characteristics: the bot functionality, a remote control
facility, and a spreading mechanism to propagate the bots and construct the botnet.
We examine each of these characteristics in turn.

32. Uses of Bots Distributed denial-of-service (DDoS) attacks
Spreading new malware
botnets are used to spread new bots
Installing advertisement add-ons and browser helper objects (BHOs)
set up a fake Web site and negotiate a deal with hosting companies that pay for clicks on ads
Attacking Internet Relay chat (IRC) chat networks
victim is flooded with requests, bringing down the IRC network; similar to a DDoS attack
Manipulating online polls/games
every bot has a distinct IP address so it appears to be a real person
Distributed denial-of-service (DDoS) attacks
causes a loss of service to users
Spamming
sending massive amounts of bulk (spam)
Sniffing traffic
a packet sniffer is used to retrieve sensitive information like user names and passwords
Keylogging
captures keystrokes
Uses of
USES OF BOTS [HONE05] lists the following uses of bots:
• Distributed denial-of-service (DDoS) attacks : A DDoS attack is an attack on
a computer system or network that causes a loss of service to users.
• Spamming: With the help of a botnet and thousands of bots, an attacker is able
to send massive amounts of bulk (spam).
• Sniffing traffic: Bots can also use a packet sniffer to watch for interesting cleartext
data passing by a compromised machine. The sniffers are mostly used to
retrieve sensitive information like usernames and passwords.
• Keylogging: If the compromised machine uses encrypted communication
channels (e.g., HTTPS or POP3S), then just sniffing the network packets on
the victim’s computer is useless because the appropriate key to decrypt the
packets is missing. But by using a keylogger, which captures keystrokes on the
infected machine, an attacker can retrieve sensitive information. An implemented
filtering mechanism (e.g., “I am only interested in key sequences near
the keyword ‘paypal.com’ ”) further helps in stealing secret data.
• Spreading new malware: Botnets are used to spread new bots. This is very
easy since all bots implement mechanisms to download and execute a file via
HTTP or FTP. A botnet with 10,000 hosts that acts as the start base for a
worm or mail virus allows very fast spreading and thus causes more harm.
• Installing advertisement add-ons and browser helper objects (BHOs): Botnets
can also be used to gain financial advantages. This works by setting up a fake
Web site with some advertisements: The operator of this Web site negotiates a
deal with some hosting companies that pay for clicks on ads. With the help of
a botnet, these clicks can be “automated” so that instantly a few thousand bots
click on the pop-ups. This process can be further enhanced if the bot hijacks
the start page of a compromised machine so that the “clicks” are executed
each time the victim uses the browser.
• Attacking IRC chat networks: Botnets are also used for attacks against
Internet Relay Chat (IRC) networks. Popular among attackers is especially
the so-called clone attack: In this kind of attack, the controller orders each bot
to connect a large number of clones to the victim IRC network. The victim is
flooded by service requests from thousands of bots or thousands of channeljoins
by these cloned bots. In this way, the victim IRC network is brought
down, similar to a DDoS attack.
Manipulating online polls/games: Online polls/games are getting more and
more attention, and it is rather easy to manipulate them with botnets. Since
every bot has a distinct IP address, every vote will have the same credibility
as a vote cast by a real person. Online games can be manipulated in a
similar way.
Bots

33. Remote Control Facility
Distinguishes a bot from a worm
a worm propagates and activates itself, whereas a bot is controlled from some central facility
A typical means of implementing the remote control facility is on an IRC server
all bots join a specific channel on this server and treat incoming messages as commands
More recent botnets tend to use covert communication channels via protocols such as HTTP
Distributed control mechanisms are also used to avoid a single point of failure
The remote control facility is what distinguishes a
bot from a worm. A worm propagates itself and activates itself, whereas a bot is
controlled from some central facility, at least initially.
A typical means of implementing the remote control facility is on an IRC
server. All bots join a specific channel on this server and treat incoming messages
as commands. More recent botnets tend to avoid IRC mechanisms and use covert
communication channels via protocols such as HTTP. Distributed control mechanisms
are also used, to avoid a single point of failure.
Once a communications path is established between a control module and the
bots, the control module can activate the bots. In its simplest form, the control module
simply issues command to the bot that causes the bot to execute routines that
are already implemented in the bot. For greater flexibility, the control module can
issue update commands that instruct the bots to download a file from some Internet
location and execute it. The bot in this latter case becomes a more general-purpose
tool that can be used for multiple attacks.

34. Rootkit
Set of programs installed on a system to maintain administrator (or root) access to that system
Root access provides access to all the functions and services of the operating system
The rootkit alters the host’s standard functionality in a malicious and stealthy way
with root access an attacker has complete control of the system and can add or change programs and files, monitor processes, send and receive network traffic, and get backdoor access on demand
A rootkit hides by subverting the mechanisms that monitor and report on the processes, files, and registries on a computer
A rootkit is a set of programs installed on a system to maintain administrator (or
root) access to that system. Root access provides access to all the functions and
services of the operating system. The rootkit alters the host’s standard functionality
in a malicious and stealthy way. With root access, an attacker has complete control
of the system and can add or change programs and files, monitor processes, send
and receive network traffic, and get backdoor access on demand.
A rootkit can make many changes to a system to hide its existence, making
it difficult for the user to determine that the rootkit is present and to identify
what changes have been made. In essence, a rootkit hides by subverting the
mechanisms that monitor and report on the processes, files, and registries on a
computer.

35. System-Level Call Attacks
Programs operating at the user level interact with the kernel through system calls
In Linux each system call is assigned a unique syscall number
Three techniques that can be used to change system calls:
modify the system call table
modify system call table targets
redirect the system call table
System-Level Call Attacks
Programs operating at the user level interact with the kernel through system calls.
Thus, system calls are a primary target of kernel-level rootkits to achieve concealment.
As an example of how rootkits operate, we look at the implementation of
system calls in Linux. In Linux, each system call is assigned a unique syscall number .
When a user-mode process executes a system call, the process refers to the system
call by this number. The kernel maintains a system call table with one entry per
system call routine; each entry contains a pointer to the corresponding routine. The
syscall number serves as an index into the system call table.
[LEVI06] lists three techniques that can be used to change system calls:
• Modify the system call table: The attacker modifies selected syscall addresses
stored in the system call table. This enables the rootkit to direct a system call
away from the legitimate routine to the rootkit’s replacement. Figure 14.6
shows how the knark rootkit achieves this.
• Modify system call table targets: The attacker overwrites selected legitimate
system call routines with malicious code. The system call table is not changed.
Redirect the system call table: The attacker redirects references to the entire
system call table to a new table in a new kernel memory location.

36. Summary
Computer security is the protection afforded to an information system to preserve system resources
CIA triad is confidentiality, integrity, availability; the fundamental security objectives
Threat consequences: unauthorized disclosure, deception, disruption, usurpation
Virus – a piece of software that can infect and modify other programs; three parts are infection mechanism, trigger, and payload
A strategy for locating and identifying vulnerable machines is scanning or fingerprinting
Rootkit a set of programs installed on a system to maintain administrator access to that system
Computer and network assets: hardware, software, data, communication lines
Network security attacks can be classified as passive attacks and active attacks
Intruders: hackers, criminals, insider attacks
Malware – malicious software
Backdoor – a secret entry point
Worm – a program that can replicate itself across a network
A program that secretly takes over another Internet-attached computer and uses it to launch attacks is a bot
Chapter 14 summary.